Full Report
A vulnerability has been discovered in pac4j-jwt (JwtAuthenticator) which could allow for authentication bypass. pac4j-jwt is a Java module within the pac4j security framework designed for generating, validating, and managing JSON Web Tokens (JWT) to secure web applications and services. It supports signed and encrypted tokens, primarily using the Nimbus JOSE+JWT library to handle authentication, profile generation, and signature configuration. Successful exploitation of this vulnerability could allow an unauthenticated, remote attacker to bypass authentication and authenticate as any user (including administrator), with any role, without knowing a single secret.
Analysis Summary
# Vulnerability: pac4j-jwt (JwtAuthenticator) Authentication Bypass
## CVE Details
- **CVE ID:** CVE-2026-29000
- **CVSS Score:** Critical (assumed High/Critical from the "High" impact rating across all sectors; no vector string is given)
- **CWE:** CWE-287 (Improper Authentication) / CWE-347 (Improper Verification of Cryptographic Signature)
## Affected Systems
- **Products:** pac4j-jwt (a Java module within the pac4j security framework)
- **Versions:**
  - 4.x versions prior to 4.5.9
  - 5.x versions prior to 5.7.9
  - 6.x versions prior to 6.3.3
- **Configurations:** Systems utilizing the `JwtAuthenticator` component to process encrypted JSON Web Tokens (JWE).
## Vulnerability Description
A logic flaw exists within the `JwtAuthenticator` component during the processing of encrypted JSON Web Tokens (JWE). Specifically, the library fails to properly validate the cryptographic signature on these tokens. Because the flaw lets an attacker bypass signature verification using only the server's publicly available RSA key, a forged JWT carrying arbitrary claims is accepted as authentic.
## Exploitation
- **Status:** PoC available (Proof of concept code released by CodeAnt AI)
- **Complexity:** Low (Requires only the publicly available RSA key of the server)
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Access to any user account and profiles)
- **Integrity:** High (Ability to authenticate with any role, including administrator)
- **Availability:** Low/Medium (Depending on administrative actions taken by the attacker)
## Remediation
### Patches
Users should upgrade to the following versions or newer:
- **4.x line:** Upgrade to 4.5.9
- **5.x line:** Upgrade to 5.7.9
- **6.x line:** Upgrade to 6.3.3
### Workarounds
No specific configuration workarounds were provided in the advisory; immediate patching is the recommended course of action due to the availability of PoC code.
## Detection
- **Indicators of Compromise:** Unusual administrative logins or account activity originating from unexpected IP addresses; encrypted JWTs (JWE) presented for authentication whose signatures do not match a known valid source.
- **Detection methods and tools:**
  - Perform automated vulnerability scans using SCAP-compliant tools.
  - Review application logs for `JwtAuthenticator` errors or anomalous profile generation.
  - Audit security configurations to ensure the latest versions of the pac4j framework are deployed.
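The indicator above ("encrypted JWTs presented for authentication") is easy to hunt for if you know the token's shape: a compact JWS has three dot-separated segments, a compact JWE has five, and the first segment is a base64url-encoded JSON header that names the `alg` (and, for JWE, the `enc`). The script below is an added example, not code from the advisory or from the pac4j project: it extracts tokens from constructed log lines, classifies each as JWS or JWE, and flags JWE tokens plus signed tokens whose `alg` is outside an allowlist you configure (the allowlist generalises the "known valid source" indicator to the signing algorithm). The log format, the `expected_algs` parameter and the sample tokens are all assumptions; the tokens are built from arbitrary bytes and carry no real keys, signatures or ciphertext.

```python
import base64
import json
import re

# Tokens embedded in log text start with "eyJ" (base64url of '{"') and have
# 3 (JWS) or 5 (JWE) dot-separated base64url segments.
TOKEN_RE = re.compile(r"eyJ[A-Za-z0-9_-]*(?:\.[A-Za-z0-9_-]*){2,4}")


def b64url_encode(data):
    """base64url without padding, as used by JOSE compact serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment):
    """Inverse of b64url_encode; re-adds the padding JOSE strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(header, *segments):
    """Build a compact token from a header dict and raw segment bytes.
    Constructed test data only: nothing produced here is cryptographically valid."""
    parts = [b64url_encode(json.dumps(header, separators=(",", ":")).encode())]
    parts += [b64url_encode(s) for s in segments]
    return ".".join(parts)


# Constructed sample log lines (assumed format: time, client, request, status,
# authorization header). Line 1 is an ordinary signed token, line 2 an
# encrypted token, line 3 a signed token with an unexpected algorithm,
# line 4 carries no token at all.
SAMPLE_LOG_LINES = [
    '2026-01-01T00:00:00Z 10.0.0.5 GET /admin 200 authorization="Bearer '
    + make_token({"alg": "RS256", "typ": "JWT"}, b'{"sub":"alice"}', b"sig") + '"',
    '2026-01-01T00:00:01Z 10.0.0.7 GET /admin 200 authorization="Bearer '
    + make_token({"alg": "RSA-OAEP-256", "enc": "A256GCM"},
                 b"encrypted-key", b"iv", b"ciphertext", b"tag") + '"',
    '2026-01-01T00:00:02Z 10.0.0.8 GET /profile 200 authorization="Bearer '
    + make_token({"alg": "HS256", "typ": "JWT"}, b'{"sub":"bob"}', b"sig") + '"',
    "2026-01-01T00:00:03Z 10.0.0.9 GET /login 302",
]


def classify_token(token, expected_algs):
    """Return the token kind, its header alg/enc and any review flags."""
    segments = token.split(".")
    kind = {3: "JWS", 5: "JWE"}.get(len(segments), "malformed")
    try:
        header = json.loads(b64url_decode(segments[0]))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        header = {}
    alg = header.get("alg")
    flags = []
    if kind == "JWE":
        flags.append("encrypted token (JWE) presented for authentication; "
                     "confirm the decrypted payload was signature-checked")
    elif kind == "JWS" and alg not in expected_algs:
        flags.append("unexpected alg %r on signed token" % alg)
    elif kind == "malformed":
        flags.append("not a compact JWS/JWE")
    return {"kind": kind, "alg": alg, "enc": header.get("enc"), "flags": flags}


def scan_log(lines, expected_algs=frozenset({"RS256"})):
    """Yield (line number, classification) for every token that raised a flag."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for match in TOKEN_RE.finditer(line):
            info = classify_token(match.group(0), expected_algs)
            if info["flags"]:
                findings.append((lineno, info))
    return findings


if __name__ == "__main__":
    for lineno, info in scan_log(SAMPLE_LOG_LINES):
        print("line %d: %s alg=%s enc=%s" % (lineno, info["kind"], info["alg"], info["enc"]))
        for flag in info["flags"]:
            print("    -> " + flag)
```

Point `scan_log` at real access or authentication logs (one line per request) and set `expected_algs` to the algorithms your deployment actually signs with; anything that surfaces as JWE, or as a signed token with an algorithm you never configured, is worth correlating with the account and source address on the same line.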
## References
- **Vendor Advisory:** hxxps[://]www[.]pac4j[.]org/blog/security-advisory-pac4j-jwt-jwtauthenticator[.]html
- **MITRE CVE:** hxxps[://]cve[.]mitre[.]org/cgi-bin/cvename[.]cgi?name=CVE-2026-29000
- **Researcher Analysis (CodeAnt AI):** hxxps[://]www[.]codeant[.]ai/security-research/pac4j-jwt-authentication-bypass-public-key